Peril in firms like Acxiom? U.S. looks
Posted: August 30, 2013 at 12:20 a.m.
Days after the Sept. 11, 2001, terrorist attacks, the FBI descended on Acxiom Corp.’s Little Rock headquarters.
The agents’ task: comb through databases for information about the 19 hijackers who crashed four planes into the World Trade Center, the Pentagon and a Pennsylvania field.
Acxiom executives had called in the FBI after spotting the hijackers’ names in the company’s databases. Their find created a partnership between the company and the law enforcement agency, and ultimately led to the expansion of the use of Acxiom’s data beyond marketing campaigns.
Now data collected about the public - the same information that Acxiom and the FBI used in 2001 - is the target of another inquiry.
The Defense Advanced Research Projects Agency, a research agency under the U.S. Department of Defense, is preparing to examine potential national-security risks posed by such public data.
Members and analysts of the data-collecting industry contend that personal data collected by businesses such as Acxiom can help protect the country rather than harm it. But access to data is a worry to others concerned about how the government will use it.
The same information that helped the FBI and Acxiom locate conspirators in the Sept. 11 attacks might also be a threat to national security, according to an online posting by the Defense Advanced Research Projects Agency.
The military agency, which develops new technology, said in the posting that it is looking to hire researchers who can “investigate the national security threat posed by public data available either for purchase or through open sources.”
This includes developing tools that can measure the effect of public data on national security and protect the country against malicious use of the data.
The agency’s public-affairs department said in an email it was “unable to accommodate” the Arkansas Democrat-Gazette’s request for an interview about the agency’s quest for researchers.
Unknown is the effect the result of the inquiry will have on data-mining and technology companies.
The research agency said on its website that it was created to “prevent strategic surprise from negatively impacting U.S. national security and create strategic surprise for U.S. adversaries by maintaining the technological superiority of the U.S. military.”
The post by the defense research agency said it also will determine whether the availability of personal data provides adversaries with “tools necessary to inflict nation-state level damage.”
In the posting, the research agency said the Army,the Navy and the Air Force were interested in operational security and protecting their plans and operations from vulnerabilities that might exist in public data.
In its online posting, the agency cites Netflix’s 2009 contest to improve movie-selection algorithms as a reason for the inquiry because it made it possible to identify a person using collected data.
“An unintended consequence of of the Netflix Challenge was the discovery that it was possible to de-anonymize the entire contest data set with very little additional data,” the post said.
The ability to use information from different sources to identify a person is a growing problem within the expanding data industry, said Brajendra Panda, a professor in the computer-science and computer-engineering department at the University of Arkansas at Fayetteville.
He said that because data are stored at multiple sites, it is easy to draw together small pieces of data from different sources to make connections.
“What you block at your site, someone might give access to,” said Panda, who also works for the university’s Center for Information Security and Reliability.
“The moment we want to share the data we create loopholes there,” he said. “They will take advantage of the weakest link you have.”
When the FBI scoured Acxiom’s databases after the Sept. 11 attack, the agency searched through information on the public that Acxiom gathers and data the company handles for clients.
Acxiom is primarily known for its role as a data broker. The company aggregates data about hundreds of thousands of people and then sells the information to its customers, such as retailers, to use in targeted marketing campaigns.
Acxiom gathers its data from public records and from an individual’s in-store shopping habits. Acxiom also has purchased a license from the U.S. Postal Service to access addresses stored in the National Change of Address registry.
Charles Morgan, who was chief executive officer of Acxiom in 2001, said the company and the FBI went to many of Acxiom’s big customers, especially banks, with subpoenas to access their customer data.
“We tried to help find the bad guys,” he said. “We had a rush of patriotism.”
Although Acxiom had worked with political parties before, this was the first time the company had dealt with a government agency, Morgan said.
“Our business was primarily focused on marketing,” he said. “We were worried about how to find a good credit card for someone. As soon as 9/11 happened, it didn’t take long to say that certainly the techniques we use to find a new credit-card person can certainly help us find bad guys.”
He said Acxiom worked with the FBI for no cost, but said the company did acquire entry and exit visa data from the government and that company officials met with Vice President Dick Cheney after the investigation.
After the FBI used Acxiom’s data to collect information on 9/11 conspirators, Acxiom offered several of its services to the government.
The government now uses Acxiom’s identification service, said Jennifer Barrett-Glasgow, chief privacy officer for Acxiom.
She said confidential agreements prevent the company from disclosing which government agencies use its data.
Acxiom also offers analytical consulting to its clients, including the government, Barrett-Glasgow said.
Industry members and analysts say that data collection can help protect the country.
“Data has huge value in national security,” Barrett-Glasgow said. “Big data has to be secured because it has huge value when used appropriately”
Matthew Howard, with Norwest Venture Partners, an investment firm based in Palo Alto, Calif., said: “We’re definitely becoming much more of a knowledge economy in the United States. As you create value in data … it becomes increasingly valuable. Whenever you create value there’s potentially a bad character out there that might want to steal that information.”
Information found in databases after Sept. 11, 2001, might have prevented the attacks, said Kaye McKinzie, assistant professor in management information systems at the University of Central Arkansas.
McKinzie worked as a military police officer and analyst and in counter terrorism during her 23 years in the Army.
“We had all this information in so many different locations that it never got pulled together to work in a law enforcement manner,” she said. “The question is: What data do you give to the right people at the right time to make the decision they need to make?”
Privacy is a concern when it comes to personal data. The National Security Agency recently used its Prism system to access private communications on the sites of nine technology companies, including Google and Facebook.
“Big data automatically is not necessary a boon for national security,” said Jeffery Chester, with the Center for Digital Democracy in Washington, D.C. ‘The very same capability that can identify a potential terrorist can be used to discriminate against an individual.”
The post by the Defense Advanced Research Projects Agency said it will specifically research data sources that are available for public purchase.
The post also hints of social media as a potential threat to national security.
“Current trends in social media and commerce, with voluntary disclosure of personal information, create other potential vulnerabilities for individuals participating heavily in the digital world,” it said.
“The issue there is [that] people assume privacy,” said Panda, the professor with the University of Arkansas. “If I know that I don’t have privacy there, I will be careful in storing data.”
He said customers should be told more often how much privacy they are being afforded by a service and how well their personal information will be protected.
“No, companies don’t do a good job at telling people,” Panda said. “Even if they do, they are not telling the full truth.”
Front Section, Pages 1 on 08/30/2013